Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: ames!decwrl!teraida!mikel@uunet.uu.net (Mikel Lechner)
Newsgroups: comp.sys.sun
Subject: Re: Are suid shell scripts using /bin/csh secure
Keywords: Software
Message-ID: <3053@teraida.UUCP>
Date: 31 Mar 89 05:08:48 GMT
References: <8902281107.AA16022@uk.ac.oxford.robots>
Sender: usenet@rice.edu
Organization: Teradyne EDA Inc., Santa Clara, Calif.
Lines: 24
Approved: Sun-Spots@rice.edu
Original-Date: Mon, 13 Mar 89 16:50:15 PST
X-Sun-Spots-Digest: Volume 7, Issue 218, message 9 of 17
X-Issue-Reference: v7n193

will%robots.oxford.ac.uk@nss.cs.ucl.ac.uk (Will Dickson) writes:
>> I know of three common modes of attack on set-uid shell scripts, all of
>> which I have failed to apply successfully to reasonably written shell
>> scripts under /bin/csh, but are successful against scripts with /bin/sh
[stuff elided]
>> The question is, are there any other ways in which shell scripts can be
>> broken, and which shells do they apply to?

Yes, there is a very important security hole in set userid shell scripts
that has been discussed in other newsgroups. The problem is inherent in the
way the kernel invokes set userid shell scripts. The set userid shell that
is invoked can be spoofed into running a script other than the one that is
intended. I was able to verify the bug under SunOS 3.2 and 4.0 with a
program I wrote.

The fix for this problem is for the shell to ensure that the script it is
running is actually the one that caused it to be invoked. Neither shell
does this check, therefore they are both insecure.

Best not to use set userid shell scripts until this problem is fixed.

Mikel Lechner                   UUCP: {decwrl,sun}!teraida!mikel
Teradyne EDA                    Phone: (408) 980-5200
5155 Old Ironsides Drive
Santa Clara, Ca 95054
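
Added example, not part of the original post: following the advice above to avoid set userid shell scripts, this shell function audits a directory tree for set-uid or set-gid regular files that begin with "#!" and prints each one with its interpreter line. The function name find_suid_scripts is made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# find_suid_scripts DIR
#   Walks DIR (staying on one filesystem) and prints, one per line,
#       <path><TAB><first line of file>
#   for every regular file that has the set-uid (4000) or set-gid (2000)
#   bit set AND starts with the "#!" interpreter magic. Compiled set-uid
#   binaries are skipped: only interpreter scripts are reported.
find_suid_scripts() {
    # -perm -4000 / -perm -2000 is the portable spelling of "bit is set".
    # The inner sh receives the file names as arguments, so unusual
    # characters in names are passed through intact.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for f do
            # Read exactly two bytes and render them with od, so binary
            # files (NUL bytes and so on) are compared safely.
            magic=$(dd if="$f" bs=2 count=1 2>/dev/null | od -An -c | tr -d " \n")
            if [ "$magic" = "#!" ]; then
                printf "%s\t%s\n" "$f" "$(head -n 1 "$f")"
            fi
        done' sh {} + 2>/dev/null
}

# When run directly with a directory argument, report on that directory.
if [ "$#" -gt 0 ]; then
    find_suid_scripts "$1"
fi
```

Run it as root so that unreadable files are inspected rather than silently skipped; each reported file is a candidate for having its set-uid bit removed or being replaced by a compiled wrapper.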